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Abstract 

Logicians at the Renyi Mathematical Institute in Budapest have spent several years de- 
veloping versions of relativity theory (special, general, and other variants) based wholly on 
first order logic, and have argued in favour of the physical decidability, via exploitation of 
cosmological phenomena, of formally undecidable questions such as the Halting Problem and 
the consistency of set theory. 

The Hungarian theories are very extensive, and their associated proofs are intuitively very 
satisfying, but this brings its own risks since intuition can sometimes be misleading. As part 
of a joint project, researchers at Sheffield have recently started generating rigorous machine- 
verified versions of the Hungarian proofs, so as to demonstrate the soundness of their work. 
In this paper, we explain the background to the project and demonstrate an Isabelle proof of 
the theorem "No inertial observer can travel faster than light" . 

This approach to physical theories and physical computability has several pay-offs: (a) 
we can be certain our intuition hasn't led us astray (or if it has, we can identify where this 
has happened); (b) we can identify which axioms are specifically required in the proof of 
each theorem and to what extent those axioms can be weakened (the fewer assumptions we 
make up-front, the stronger the results); and (c) we can identify whether new formal proof 
techniques and tactics are needed when tackling physical as opposed to mathematical theories. 

Categories and Subject Descriptors: F.4.1 [Mathematical Logic and Formal Languages] 
Mathematical Logic — Mechanical theorem proving; 3.2 [Computer Applications] Physical Sci- 
ences and Engineering — Physics 

General Terms: Theory, Verification 

Additional Key Words and Phrases: First-order relativity theory, hypercomputation, physics and 
computation 



1 Introduction 

In his seminal analysis of computation, Turing Tur36 discussed the nature of human computation, 
and showed that certain tasks - most famously, the Halting Problem (HP) - are not decidable 
by computational means. Subsequent theoretical investigation by various researchers suggests, 
however, that physical systems may exist which can in fact decide HP by exploiting cosmolog- 
ical phenomena |Hog92[ IEN931 IEN021 |Hog04[ IManlOl I ANSI 2] . This claim is, of course, highly 
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controversial; we therefore begin by explaining the loophole in Turing's analysis which allows 
'hypercomputational' systems of this kind to be designed [Sta06 , Stal3j . 

We then focus on one particular scheme for cosmological hypercomputation |EN02] . and con- 
sider the extent to which it rests on secure logical foundations. Doing so will require us to explain 
recent work by the Hungarian team of Andreka et al, who have formalised a series of relativity 
theories (including special and general relativity) using first-order logic [AMN04 , AMNS08 . These 
first-order foundations ensure that their theories are easy to reason about, but also introduce a 
number of nonstandard features. We have, therefore, recently started a joint project verifying 
their theories using the Isabelle proof assistant |Wenl2] . We explain our approach below, and 
outline an Isabelle proof of the well-known statement "No inertial observer can travel faster than 
light" |Ein20, AMNS12 . Finally, we summarise the work that remains to be done, and invite 
participation in the solution of several open questions. 



2 Circumventing Turing's analysis 

Turing's |Tur36{ analysis of (human) computation provides a convincing demonstration that cer- 
tain problems cannot be solved by computational means. In particular, if Pq, P\, P 2 , • ■ • is a fixed 
enumeration of all program^] that take a single natural number as input, it is not possible to 
compute the function HP: NxN4 {yes, no} given by 



HP(m,n) 



if Pm ( n ) w iU eventually halt 
otherwise 



Powerful as it is, Turing's analysis is nonetheless susceptible to attack due to an unexamined 
assumption built into his description of human computation. For, as he explains |Tur50] : 

The human computer is supposed to be following fixed rules; he has no authority to 
deviate from them in any detail. We may suppose that these rules are supplied in a 
book, which is altered whenever he is put on to a new job. He has also an unlimited 
supply of paper on which he does his calculations. He may also do his multiplications 
and additions on a "desk machine," but this is not important. 

In fact, the consequences of using a "desk machine" cannot be so readily dismissed, because this 
implies that the computation may involve coordination between two physically separated agents 
(the human and the machine) [Stal3J . Being physically separated, the two agents may be subject 
to different forces and accelerations, and this can affect the rate at which they perceive each 
other's clocks to be running. This in turn provides scope for extreme computational speed-up, 
to the extent that HP becomes solvable. For example, astronomical observations suggest the 
presence of a massive slowly rotating ("slow Kerr") black hole at the centre of the Milky Way 



GET+09] , Such black holes are associated, in relativity theory, with a computationally useful 
spacetime geometry {Malament-Hogarth spacetime [EN93] ). containing a worldline w and a point 
p (not on w), with the following properties: 

• w has infinite proper length; 

• it is possible to send a signal to p from any point along w. 

Suppose, then, that we are given m and n, and want to determine whether or not P = P m (n) 
will eventually halt. We send a PC along w having first loaded an interpreter with behaviour: 

run P ; 

send a signal to spacetime location p 



1 For simplicity, we will think of programs as being written in a modern high-level language, running on a 
standard PC with access to unbounded memory. 
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If P doesn't halt, the second instruction will never be reached, and no signal will be sent. On 
the other hand, because w has infinite proper length, the PC has unbounded time available to 
it for its computation, and so P has enough time to run to completion if this is its underlying 
behaviour. Consequently, a signal will arrive at p if and only if P m (n) eventually halts. It is 
therefore enough for us to follow a trajectory that takes us through p. When we arrive there, we 
look for the presence of the signal, saying yes if the signal is present, and no otherwise. 

3 Logical foundations 

We now turn to Andreka et al's [AMN04I IAMNS12] first-order formalisation of relativity theory. 
This focus on first-order logic (FOL) is motivated by several important considerations. Foremost 
is the Hungarian team's desire to demystify relativity theory by expressing its postulates and 
conclusions in a form that is intelligible to as large an audience as possible. By choosing simple 
language and a very simple axiom system, the underlying assumptions of the theory are made 
as straightforward as possible (see Sect. 14.21) . while the use of first-order logic and its simple 
reliance on Modus Ponens makes it relatively easy for newcomers to follow the proofs. Having 
reformulated relativity in purely logical terms, the group is also able to investigate which axioms 
underpin which results and which are superfluous. Given the physical nature of the theory in 
question, this information can then be reflected back into physics: if an axiom plays no role in 
establishing an experimentally observed result, then that result can neither support nor undermine 
the validity of the axiomatic property in question. 

It is important to note, however, that the use of first-order logic has important consequences 
when attempting to model physical phenomena, because FOL is not powerful enough to char- 
acterise the real number field, R - the numbers typically used to represent coordinates, masses, 
and so forth, in physical models. Consequently, many of the real-number properties we take for 
granted in physics, like the existence of limits of bounded sequences, are unavailable in a rigor- 
ous first-order logical proofH For example, the statement that any decreasing sequence of real 
numbers, bounded below, has a greatest lower bound is not a first order statement, because it 
refers to ordered sets of real valuesH Moreover, as Andreka and her colleagues have shown, many 
interesting theorems can be proven using less restrictive fields like the rationals, Q, for which the 
real-number property every positive number has a positive square root failt@ (such fields are said 
to be non- Euclidean), cf. |Sze09] . 

3.1 The need for formal verification 

Given that "first-order numbers" need not exhibit the properties typically expected of them by 
physicists, it is important that we treat traditional explanations of relativistic phenomena with 
caution. To this end, and as part of a Royal Society International Exchanges Scheme project, 
researchers in Sheffield joined forces with the Hungarian team at the start of 2012, to develop a 
comprehensive formal framework for relativity theory, with full machine- verification of all derived 
theorems. To the best of our knowledge, this is the first time such a large-scale physical theory has 
been treated in this way (but cf. |GS11| ISBT12] ). and it is hoped that the lessons learned will be 
useful in extending the approach more widely. The project has been planned in four main stages, 
and it is hoped that the end result will be a formal machine- verified proof of the controversial claim 
that the power of a computational system depends on the nature of its spacetime environment, 
with super- Turing capabilities emerging in the context of more complex spacetime geometries. 
The project itself has four broad aims: 

2 For completeness, we note that this difficulty can be solved within FOL by focussing attention on definable 
sets. 

3 There are fields which have the same first-order properties as R, but which contain infinitesimals. In such a 
field, the bounded decreasing sequence y > ^ > ^ > . . . has no greatest lower bound. For suppose a were its 
greatest lower bound; then given any positive infinitesimal e, the value (1 + e)a would be a slightly larger lower 
bound, thereby contradicting the definition of a. 

4 The statement cited is first-order: (\/x).((x > 0) — > (3y.((y > 0) A (y X y = x)))). 
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1. Implement first-order axiomatizations of general relativity using the proof assistant Isabelle 
|Wenl2j : 

2. Add a general model of computational mobility to the theory, to enable the modelling of 
computations carried out by machines travelling along specific spacetime trajectories; 

3. Consider how the power of these computational systems changes according to the underlying 
topology of spacetime [CVGS12] : 

4. Select a recursively uncomputable problem P (for example, the Halting Problem) and 
machine- verify the following claims: 

(a) in simpler relativistic settings, P remains uncomputable; 

(b) in some spacetimes, P can be solved. 

Taken together, these steps are intended to add weight to the claim that the computational 
power of a device depends on the physical setting in which it finds itself. 

4 The theories and their implementation 

There are various versions of relativity theory, depending on what is being modelled. For special 
relativity (SpecRel) the two key axioms (suitably formalised) are |Ein20j : 

Principle of relativity: The laws of nature are the same for every inertial observer; 

Light postulate: Any ray of light moves in the 'stationary' system of coordinates 
with the determined velocity c, whether the ray be emitted by a stationary or by a 
moving body; 

while for general relativity (GenRel) we add the 

Equivalence Principle: It is not possible to distinguish between the effects of accel- 
eration and those of gravity. 

In addition to special and general relativity, Szekely and his colleagues have made a detailed 
study of accelerated observers (with or without the equivalence principle in place). The corre- 
sponding theory, AccRel, provides a convenient stepping stone from special to general relativity 
[Sze09j . 

Our Isabelle implementation^ has been constructed in three parts, a program structure that 
ensures that different versions of relativity theory can easily be added later. For example, to add 
GenRel we would simply add a new file GenRel. thy which merges the required axiom classes 
and includes proofs of relevant theorems. We focus here on the first-order theory SpecRel of 
special relativity. This theory is 2-sorted, the sorts being Quantities (the values used to specify 
coordinates, speeds, masses, etc) and Body (bodies or test particles). 

4.1 Background geometry (SpaceTime . thy, approx. 830 lines) 

This Isabcllc/HOL code file models the geometric structures common to all models of spacetime 
(Vectors, Points, Lines, Planes, Cones), each represented as a separate record structure with 
axioms attached. The axioms describe basic geometric relationships including, for example, what 
it means for three points to be collinear, what it means for two vectors to be orthogonal, and so 
forth. In particular, a key lemma for our main proof is the assertion that distinct parallel lines 
cannot meet (the proof is by contradiction). Having defined these classes, we take SpaceTime to 
be their conjunction: 



5 The files referred to in this paper are available from http : //www. des . shef . ac.uk/~mps/isabelle/noFTLobserver 
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class SpaceTime = Quantities + Vectors + Points + Lines + Planes + Cones 

The set of Quantities is assumed to carry an ordered field structure. We shall sometimes 
need to assume that the field is also Euclidean - i.e., that square roots exist for positive values - 
but this is not a general requirement, so it will be added as a separate axiom class later. Since 
Isabellc/HOL already includes a suitable class, the implementation of Quantities is particularly 
simple: 

class Quantities = linordered_f ield 

For simplicity we assume that spacetime is (1 + 3)-dimensional (one time dimension + three 
space dimensions), so that Points and Vectors are both specified as 4-tuples of Quantities. In 
more complex relativity theories, we allow both the number of space dimensions, and the number 
of time dimensions, to vary. Lines are specified by giving a point (the line's basepoint) and a 
vector (its direction), while planes are specified by a basepoint and two vectors. 

Because we are dealing here with special relativity, all lightcones can be considered to be 
'upright' (for general relativity we need to allow cones that are 'tilted' by curvature effects); each 
cone can therefore be specified by giving a point (its vertex) and a quantity (its slope). However, 
the freedom with which we can specify quantities has certain concomitant side-effects, and these 
need to be taken into account. In real-number physics, we would consider the slope of the cone 

x 2 + y 2 + z 2 = at 2 where a > 

to be y/a, but when Quantities is non-Euclidean we cannot be certain that y/a is defined. 
Consequently, we take the slope of the cone to be a rather than y/a, and adjust all associated 
formulae and proofs accordingly. 

4.2 Axioms (Axioms. thy, approx. 260 lines) 

This file includes various axioms used by the Hungarian group, each implemented as a separate 
class. Different relativity theories can then be constructed by merging the relevant axiom classes 
and omitting those that are not required; we focus here on the axioms that will be needed to 
specify SpecRel. 

The axioms describe the events in which bodies can participate, and how their descriptions 
change from one observer's viewpoint to another. Here, a Body can be either a photon (which 
always travels at constant speed) or an inertial observer (which always travels at constant speed, 
and in addition is capable of making observations). Since we do not assume a priori that the 
classes of photons and inertial observers are disjoint, we represent bodies using an Isabelle/HOL 
record structure: 

record Body = 
Ph : : "bool" 
I Ob : : "bool" 

For more complex relativistic theories we also need to consider non-inertial observers (those 
which can accelerate), as well as more general types of body, and in this regard the use of Is- 
abelle/HOL record structures is particularly convenient, since we can easily extend the Body 
record structure to include new descriptions. The distinction between inertial observers and more 
general body types emerges in these more advanced theories. For example, we demonstrate below 
that inertial observers can never travel faster than (what they consider to be) the speed of light, 
but this property need not be provable of more general bodies [NS12I ISzel2j . 

In addition to the ordered field axioms associated with Quantities, SpecRel is formally gen- 
erated using just the four axioms described below (AxPh, AxEv, AxSelf , AxSym), but in practice 
we have found it sensible to replace Quantities with a larger WorldView class (below) so as 
to have available the necessary abbreviations and functions. This simplifies proofs considerably. 
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Moreover, our proof that inertial observers cannot travel faster than light requires us to find the 
intersection of a line with a cone, and this in turn requires the existence of square roots - we have 
therefore included the Euclidean axiom (AxEuclidean). Finally, we make use of various additional 
properties of cones, lines and planes (given in SpaceTime . thy). These define various relatively 
complicated concepts, such as what it means for a plane to be tangent to a (light)cone: 

class Cones = Quantities + Lines + Planes + 
fixes 

tangentPlane :: "'a Point =>■ 'a Cone =>■ 'a Plane" 

assumes (* The basepoint of the tangent -plane-at-e is e *) 
AxTangentBase : "pbasepoint (tangentPlane e cone) = e" 

and (* The tangent plane contains the vertex *) 

AxTangentVertex: "inPlane (vertex cone) (tangentPlane e cone)" 

and (* The tangent plane meets the cone in a line *) 
AxConeTangent : " (onCone e cone) — > 

(inPlane pt (tangentPlane e cone) A onCone pt cone) 
< — > collinear (vertex cone) e pt)" 

and (* The tangent plane is tangential to all cones with vertex 
in that plane, and the intersection lines are parallel. *) 
AxParallelCones : "(onCone e econe A e 7^ vertex econe 
A onCone f fcone A f 7^ vertex fcone 
A inPlane f (tangentPlane e econe)) 

— > (samePlane (tangentPlane e econe) (tangentPlane f fcone) 

A ( (lineJoining (vertex econe) e) || (lineJoining (vertex fcone) f)))" 

and (* If f is outside a cone, there is a tangent plane to that cone which 
contains f . The tangent plane is determined by some e lying on 
the intersection line with the cone. *) 
AxParallelConesE: "outsideCone f cone — > (3e. (onCone e cone 
A e 7^ vertex cone A inPlane f (tangentPlane e cone)))" 

AxEuclidean 

This axiom states that every positive quantity has a positive square root, and defines the sqrt 
function. 

class AxEuclidean = Quantities + 
assumes 

AxEuclidean: " (x > (0::'a)) (3r. ((r > 0) A (r*r = x)))" 

begin 

fun sqrt :: " ' a => 'a" where 

"sqrt x = (SOME r. ((r > (0::'a)) A(r*r = x)))" 

end 

Notice, however, that we do not assume that the positive square root is uniquely defined 
(instead, this is a theorem). Consequently, even though sqrt is defined using the fun keyword, it 
is not in fact defined to be a function, because the use of SOME technically allows a different value 
to be selected each time sqrt is referenced. 
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The WorldView relation 

Two key features of first-order relativity theory are the worldview relation (W) and the worldview 
transformation (wvt). 

class WorldView = SpaceTime + 
fixes 

(* Worldview relation *) 

W :: "Body => Body 'a Point bool" ("_ sees _ at _") 
and 

(* Worldview transformation *) 
wvt :: "Body Body 'a Point 'a Point" 
assumes 

AxWVT: "[ 10b m; 10b k ] (W k b x < — > W m b (wvt m k x))" 
and 

AxWVTSym: "[ IDb m; 10b k ] (y = wvt k m x i — > x = wvt m k y) " 
begin 
end 

The relation W tells us which bodies an inertial observer m sees at each spacetime location. 
Thus, W m b p is True precisely when m considers the body (whether inertial observer or photon) 
b to be present at location p. We can use W to define various standard concepts; for example, the 
worldlinc of b (from m's point of view) is simply the set {p . W m b p}. 

The worldview transformation tells us how one observer's viewpoint is related to another. As 
AxWVT explains, if wvt m k x is y, this means that whatever k sees at x, m sees at y. 

AxPh 

The photon axiom says that for any inertial observer, the speed of light (c) is the same in every 
(spatial) direction everywhere and is positive. Furthermore, it is possible to send out a light signal 
in any (spatial) direction. (The auxiliary functions space2 and time2 give the squared spatial 
and temporal separations, respectively, of two spacetime locations x and y.) 

class AxPh = WorldView + 

assumes 

AxPh: "IOb(m) 

=► (3v. ( (v > (0: : 'a)) A ( Vx y . ( 
(3p. (Ph pAWmpxAWmpy)) 

i — > (space2 x y = (v * v)*(time2 x y)) 

))))" 
begin 

fun c :: "Body 'a" where 

"c m = (SOME v. ( (v > (0::'a)) A ( Vx y . ( 
3p. (Ph pAWmpxAWmpy)) 

< — > (space2 x y = (v * v)*(time2 x y)) 

)))" 

fun lightcone :: "Body =>■ 'a Point =>■ 'a Cone" where 
lightcone m v = mkCone v (c m) " 

(* various lemmas follow that are not included here *) 

Notice, however, that the speed of light is not assumed to be the same for all observers: the 
value c is therefore parametrised according to the inertial observer in question. As before, the use 
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of SOME suggests that c m need not be uniquely denned, but uniqueness becomes provable within 
SpecRel due to the inclusion of additional axioms. Note also that c p is technically specified 
when p is a photon; but in this case the precondition required to establish the value's existence 
cannot be established using AxPh. In this way we avoid the (non)question "at what speed does 
one photon consider another photon to be travelling?" 

AxEv 

The event axiom says that all inertial observers are participating in the same universe - if one 
observer sees two bodies meeting at some spacetime location, they all see them meeting (though 
they may disagree as to where that meeting takes place). 

class AxEv = WorldView + 
assumes 

AxEv: "I 10b m; 10b k J (3y. (Vb. (W m b x i — ► W k b y)))" 

begin 
end 



AxSelf 

The self axiom says that inertial observers consider themselves to be stationary in space (so they 
consider their worldline to be the time axis) 

class AxSelf = WorldView + 
assumes 

AxSelf: "10b m (W m m x) — > (onAxisT x) " 

begin 
end 



AxSym 

The symmetry axiom says that inertial observers agree as to the spatial distance between two 
spacetime events if these two events are simultaneous for both of them. 

class AxSym = WorldView + 
assumes 

AxSym: "[ 10b m; 10b k ] 

(WmexAWmfyAWkex' AWkfy' A 

tval x = tval y A tval x' = tval y' ) 
— > (space2 x y = space2 x' y')" 

begin 
end 



4.3 SpecRel (SpecRel .thy, approx. 340 lines) 

This file defines the theory SpecRel, 

class SpecRel = WorldView + AxPh + AxEv + AxSelf + AxSym 
(* 

The following proof assumes that the quantity field is Euclidean. 

*) 
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+ AxEuclidean 

(* 

We also assume for now that lines, planes and lightcones are 
preserved by the worldview transformation. This can be proven. 

*) 

+ AxLines + AxPlanes + AxCones 

together with our proof of the standard claim that no inertial observer can travel faster than the 
speed of light. 

5 The proof 

The statement we wish to prove ("no inertial observer can travel faster than light") can be for- 
malised as: 

lemma noFTLObserver : 

assumes iobm: "10b m" 

and iobk: "10b k" 

and mke: "m sees k at e" 

and mkf : "m sees k at f" 

and enotf: "e ^ f" 
shows "space2 ef< (cm*cm) * time2 e f" 

To sec why, notice that the statement "k cannot travel faster than light" is meaningless as it 
stands. We need to say in whose opinion this statement is true, since the speed of light might 
depend on the observer. We therefore have to introduce a second inertial observer, m, in whose 
opinion the judgment is to be made. To find the speed at which k is moving, m needs to observe k 
at two different locations, e and f , and then determine the (square of the) ratio of the associated 
spatial and temporal separations. 

The proof itself is in five basic stages. 

Step 1. Assume the converse 

Suppose k is going faster than light (FTL) from m's viewpoint: 

assume converse: "space2 ef> (c m * c m) * time2 e f" 

Informally, we are saying that f lies outside m's lightcone at e. 

Step 2. Consider the cone at e 

Consider m's lightcone at e, and note that e is itself on this cone (since it is the cone's vertex), 
def eCone = "mkCone e (cm)" 

have e_on_econe: "onCone e eCone" by (simp add: eCone_def) 



Step 3. Identify the tangent plane containing f 

Step 1 tells us to assume that f is outside the cone. We can use the cone axioms to find a tangent 
plane containing f . Being a tangent plane, it will necessarily contain the vertex, e, as well. In 
addition, the axioms allow us to fix a point g so that the line joining g to the vertex is the line of 
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intersection between the cone and the tangent plane. Notice that g is distinct from both e and f , 
and together the three points define the tangent plane. 

have e_is_vertex: "e = vertex eCone" by (simp add: eCone_def) 
have cm_is_slope : "c m = slope eCone" by (simp add: eCone_def) 
hence outside: "outsideCone f eCone" 

by (metis (lifting) e_is_vertex cm_is_slope converse outsideCone . simps) 

have "outsideCone f eCone 

— > (3x. (onCone x eCone A x 7^ vertex eCone 
A inPlane f (tangentPlane x eCone)))" 
by (rule AxParallelConesE) 

hence tplane_exists : "3x. (onCone x eCone A x 7^ vertex eCone 
A inPlane f (tangentPlane x eCone))" 
by (smt outside) 

then obtain g where g_props : " (onCone g eCone A g 7^ vertex eCone 
A inPlane f (tangentPlane g eCone))" 
by auto 

have g_on_eCone: "onCone g eCone" by (metis g_props) 
have g_not_vertex: "g 7^ vertex eCone" by (metis g_props) 

(* ... and more ... *) 



Step 4. Switch to k's viewpoint 

Because m sees k at the distinct points e and f , k should also see himself at (his transformed 
versions of) those points, by AxEv. But each observer considers himself to be stationary, so k 
considers e and f to be distinct points on his time axis, by AxSelf . If k's worldline also passed 
through g, the points e, f and g would be collinear in k's worldview, and hence also in m's, and 
we know this not to be the case because e and g arc both in the tangent intersection line, while f 
is outside the cone. Consequently, g is not on k's time axis. 

def wvte = "wvt k m e" 
def wvtf = "wvt k m f " 
def wvtg = "wvt k m g" 

have "W k k wvte" by (metis wvte_def AxWVT mke iobm iobk) 
hence wvte_onAxis: "onAxisT wvte" by (metis AxSelf iobk) 

have "W k k wvtf" by (metis wvtf_def AxWVT mkf iobm iobk) 
hence wvtf_onAxis: "onAxisT wvtf" by (metis AxSelf iobk) 

have wvte_inv: "e = wvt m k wvte" by (metis AxWVTSym iobk iobm wvte_def) 
have wvtf_inv: "f = wvt m k wvtf" by (metis AxWVTSym iobk iobm wvtf_def) 
have wvtg_inv: "g = wvt m k wvtg" by (metis AxWVTSym iobk iobm wvtg_def) 

have e_riot_g: "e 7^ g" by (metis e_is_vertex g_not_vertex) 

have f_not_g: "f 7^ g" by (metis outside lemOutsideNotOnCone g_on_eCone) 

have wvt_ejiot_f : "wvte 7^ wvtf" by (metis wvte_inv wvtf_inv enotf) 
have wvt_f_not_g: "wvtf 7^ wvtg" by (metis wvtf_inv wvtg_inv f_not_g) 
have wvt_g_not_e: "wvtg 7^ wvte" by (metis wvtg_inv wvte_inv e_not_g) 
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have if_g_onAxis: "onAxisT wvtg — > collinear wvte wvtg wvtf" 
by (metis lemAxisIsLine wvte_onAxis wvtf_onAxis 
wvt_e_not_f wvt_f_not_g wvt^g_not_e) 

have "collinear wvte wvtg wvtf — > collinear e g f " 

by (metis AxLines iobm iobk wvte_inv wvtf_inv wvtg_inv) 
hence "onAxisT wvtg — > collinear e g f " by (metis if_g_onAxis) 

hence wvtg_of f Axis : "-i (onAxisT wvtg)" by (metis g_not_collinear) 



Step 5. Find a point z with impossible properties 

We have seen that e and f define the time axis (from k's point of view), and g lies off this axis. 
Consequently, because all lightcones are upright in special relativity, the line joining e to g has 
non-empty intersection with the k-lightcone at f . Call the point of intersection z, and observe that 
the k-lightcone at z contains both e and f . [Notice, however, that determining the coordinates of 
the point z typically involves the use of square roots, which is why we have assumed AxEuclidean.] 
Having obtained z, we will prove that its properties are contradictory. 

have "Vs.(3p.( collinear wvte wvtg p 

A (space2 p wvtf = (s*s)*time2 p wvtf)))" 
by (metis lemSlopedLinelnVerticalPlane 

wvte_onAxis wvtf_onAxis wvtg_offAxis wvt_e_not_f) 
hence exists_wvtz: "3p.( collinear wvte wvtg p 

A (space2 p wvtf = (c k * c k)*time2 p wvtf))" 
by metis 
then obtain wvtz where 

wvtz_props : "collinear wvte wvtg wvtz 

A (space2 wvtz wvtf = (c k * c k)*time2 wvtz wvtf)" by auto 
hence wvtf_speed: "space2 wvtz wvtf = (c k * c k)*time2 wvtz wvtf" 
by metis 

def z = "wvt m k wvtz" 

We know that f is on k's lightcone at z, and that lightcones are mapped to lightcones under 
worldview transformations. We can therefore switch to m's viewpoint, and at the same time deduce 
that z is on the lightcone at f . 

(* f is on the lightcone at z *) 
def zCone = "lightcone m z" 

have z_is_vertex: "z = vertex zCone" by (simp add: zCone_def) 
have cm_is_zSlope : "c m = slope zCone" by (simp add: zCone_def) 

have f_on_zCone: "onCone f zCone" 

by (metis wvtf_inv wvtf _on_wvtzCone zCone_def) 

(* whence z is on the lightcone at f *) 
hence "space2 (vertex zCone) f 

= (slope zCone * slope zCone)*time2 (vertex zCone) f" 

by (simp add: zCone_def) 
hence "space2 z f = (c m * c m)*time2 z f" 

by (metis z_is_vertex cm_is_zSlope) 
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hence fz_speed: "space2 f z = (c m * c m)*time2 f z" 
by (metis lemSpace2Sym lemTime2Sym) 

def fCone = "lightcone m f " 

have f_is_f Vertex : "f = vertex fCone" by (simp add: fCone_def) 
have cm_is_f Slope : "c m = slope fCone" by (simp add: fCone_def) 
hence "space2 (vertex fCone) z 

= ((slope fCone) * (slope f Cone) ) *time2 (vertex fCone) z" 
by (metis fz_speed f_is_fVertex cm_is_f Slope) 
hence z_on_fCone: "onCone z fCone" by (metis onCone . simps) 

Similarly, we can show that z is on the lightcone at e. However, the cones at e and f share 
the same tangent plane (because f lies in that plane) , whence the intersection lines at e and f are 
parallel (this is part of what it means to be a tangent plane, as expressed in the cone axioms). It 
follows that we have two distinct lines that intersect in a common point, z, despite being parallel. 

This provides the required contradiction. 

6 Discussion 

In practice, the most time-consuming part of this proof involved describing the geometric properties 
of spacetime - for example, deciding the best way to represent lines and planes, what it means for 
points to be collinear or coplanar, or what it means for two lines to be parallel. This suggests that 
Isabelle/HOL should provide an excellent vehicle for constructing future proofs relating to the 
more complex versions of relativity theory, because all standard models of general relativity are 
locally special relativistic. Consequently, we expect that work already invested in the construction 
of SpaceTime . thy (itself built on top of existing Isabelle/HOL libraries) will largely be re- usable. 

There remains, of course, a great deal more to be done. In addition to completing the proofs 
of other standard features of special relativity (for example, time dilation), we need to extend 
our work to both accelerating observers and their associated theorems (for example, the "twin 
paradox"), and observers in a gravitational field. Only then will we be in a position to model what 
it means for a spacetime to exhibit the Malament-Hogarth timing structures relevant to existing 
suggestions for cosmological (hyper)computation. We also plan to continue the investigation into 
the physical realisticity of computing with Malament-Hogarth spacetimes started in [ND06 , NA06] , 
not necessarily sticking with Kerr spacetime (cf. [ManlO] ). 

Finally, we would like to know to what extent the work developed here can be extended to 
encompass other physical systems - for example quantum mechanics - and whether new proof 
techniques or capabilities would be useful in that effort. For example, in the proof above it was 
necessary for us to determine the existence of a point z with certain coordinates. Although it was 
straightforward to compute those coordinates by hand, it would be convenient to have a system 
built into Isabelle/HOL that could do the construction on our behalf, or at least tell us whether 
a suitable point z exists. 
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